KR20180015076A - Information processing apparatus, method of controlling the same, and storage medium - Google Patents

Abstract

The present invention relates to an information processing apparatus having a hardware security module (HSM), comprising: a backup portion; a set portion; and a control portion. The information processing apparatus is able to set an HSM function to be valid under a condition capable of backing up an encrypted key of the HSM, wherein the HSM function is able to encode and decode data using encrypted key of the HSM.

Description

TECHNICAL FIELD [0001] The present invention relates to an information processing apparatus, a control method thereof, and a storage medium,

The present invention relates to an information processing apparatus, a control method thereof, and a storage medium.

Generally, confidential data is encrypted and stored in an information processing apparatus such as a personal computer (PC) and a multi-function peripheral / digital multi-function peripheral (MFP) having a printing function.

Recently, in the case of encrypting / decrypting confidential data contained in this information processing apparatus, there is an information processing apparatus using an encryption key stored in an external hardware security module (HSM) physically connected to the information processing apparatus. For example, the HSM uses a Trusted Platform Module (TPM) compliant with the TCG (Trusted Computing Group) standard. The TPM is a security chip having a tamper resistance capable of securely managing an encryption key.

In general, a device having a TPM encrypts confidential data and manages the key used for the encryption in the TPM, thereby realizing management of confidential data securely. Encryption / decryption using the TPM of this information processing apparatus is hereinafter referred to as "TPM function ". When the TPM function is employed, for example, when a failure or loss of the TPM occurs, the TPM may be exchanged.

Now, for example, when a TPM is exchanged for a new TPM by a failure, the TPM cryptographic key in the new TPM chip is different from the TPM cryptographic key in the old TPM before the failure. Therefore, confidential data in the information processing apparatus encrypted using the TPM encryption key in the old TPM can not be decrypted by the new TPM. Therefore, it is necessary to back up an encryption key managed by the TPM (hereinafter referred to as TPM encryption key). Backup of the TPM encryption key is often performed by connecting an external storage such as USB to the device and storing the TPM encryption key in the connected external storage. For example, if the TPM fails, the TPM of the device is exchanged for a new TPM, the external storage in which the original TPM encryption key is stored is connected to the device, and the TPM encryption key stored in the external storage is used And restores the TPM encryption key to the new TPM.

Japanese Patent Application Laid-Open No. 2015-122720 discloses a technique for backing up a TPM encryption key of a device using the TPM function. According to this technique, since the TPM encryption key is generated after the TPM function is validated, the user who uses the device executes the backup of the TPM encryption key to the external storage such as the USB memory after enabling the TPM function .

However, there is a case where the user forgets to back up the TPM encryption key after enabling the TPM function for the device. This includes, for example, when the TPM function is enabled, the USB memory for backup is not prepared, or the user who has the TPM function enabled and the user who backs up and manages the TPM encryption key are different do. It is also conceivable that a user who did not know the existence of the backup function has enabled the TPM function. Thus, if the TPM is exchanged without backing up the TPM encryption key, the confidential data in the device encrypted using the old TPM encryption key can not be decrypted and used.

One aspect of the present invention overcomes the above-described problems associated with the prior art.

It is a feature of the present invention to provide a technique for preventing a user from forgetting to back up an HSM cryptographic key.

According to a first aspect of the present invention, there is provided an information processing apparatus having a hardware security module (HSM), comprising: a backup unit configured to back up an encryption key of the HSM; and a data encryption / A setting unit configured to set the HSM function to be valid at the time of receiving an instruction to enable the HSM function to be permitted; and a setting unit configured to set the HSM function to be enabled by the backup unit, And a control unit configured to perform control so that the instruction to be valid can be accepted.

According to a second aspect of the present invention, there is provided an information processing apparatus having a hardware security module (HSM), comprising: a backup unit configured to back up an encryption key of the HSM; and an encryption and decryption unit A second judging unit configured to judge whether the HSM function is valid or not; and a second judging unit configured to judge whether or not the cipher key of the HSM is backed up; and a judging unit judging by the first judging unit that the HSM function is valid And a control unit configured to perform control to back up the encryption key of the HSM when it is determined by the second determination unit that the encryption key of the HSM is not backed up.

According to a third aspect of the present invention, there is provided a method of controlling an information processing apparatus having a hardware security module (HSM), comprising the steps of: backing up an encryption key of the HSM; encrypting and decrypting data using the encryption key Setting the HSM function to be valid at the time of receiving an instruction to enable the HSM function that permits the HSM function to be enabled; And controlling the information processing apparatus so that the information can be received.

According to a fourth aspect of the present invention, there is provided a method of controlling an information processing apparatus having a hardware security module (HSM), the method comprising the steps of: backing up the encryption key of the HSM; Setting the HSM function to be valid at the time of receiving an instruction to enable the HSM function permitting encryption and decryption, and setting the HSM function to be valid, provided that the encryption key of the HSM can be backed up There is provided a computer-readable storage medium storing a program for causing a computer to execute a control method including the step of performing control so that the instruction can be accepted.

Further features of the present invention will become apparent from the following detailed description of the embodiments given with reference to the accompanying drawings.

The accompanying drawings, which are incorporated in and form a part of the specification, illustrate exemplary embodiments, features and aspects of the invention and, together with the description, serve to explain the principles of the invention.
1 is a block diagram illustrating an outline of a hardware configuration of a multifunction peripheral according to a first embodiment of the present invention.
2 is a block diagram illustrating a schematic configuration of cryptographic keys and secret data handled by the TPM and the HDD according to the first embodiment.
3 is a flowchart for explaining the startup process of the multifunction apparatus according to the first embodiment.
4 is a flowchart for explaining a process for making the TPM function effective in the multifunction apparatus according to the first embodiment.
5A to 5C are views showing an example of the TPM setting management screen displayed on the operation unit of the multifunction apparatus according to the first embodiment.
Fig. 6 is a flowchart for explaining backup processing of the TPM encryption key in step S411 of Fig. 4 performed by the multifunction apparatus according to the first embodiment.
7 is a diagram showing an example of a screen for inputting a password for backup of the TPM cipher key displayed on the operation unit of the multifunction apparatus according to the first embodiment.
Fig. 8 is a flowchart for explaining the startup process of the multifunction apparatus according to the second embodiment.
9 is a view showing an example of a main menu screen of the functions provided by the multifunction apparatus according to the second embodiment.
10 is a flowchart for explaining a user authentication process performed by the multifunction apparatus according to the second embodiment.
11 is a flowchart for explaining processing and backup processing for making the HSM function effective by the multifunction apparatus according to the third embodiment of the present invention.
12A to 12C are diagrams showing an example of the HSM setting management screen displayed on the operation unit of the multifunction apparatus according to the third embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It is to be understood that the following embodiments are not intended to limit the scope of the claims of the invention and that not all combinations of aspects described in accordance with the following embodiments are necessarily required for the means of solving the problems according to the invention.

In the present embodiment, it is assumed that an external hardware security module (HSM) physically connected to the information processing apparatus uses a TPM (Trusted Platform Module). In this embodiment, a multi-function peripheral / digital multi-function peripheral will be described as an example of an information processing apparatus capable of connecting / using a TPM and having a user authentication function. However, the present invention is not limited to such a multifunction peripheral, but an information processing apparatus capable of connecting / using an HSM such as a TPM and having a user authentication function can be employed.

First Embodiment

1 is a block diagram for explaining an outline of the hardware configuration of the multifunction apparatus 100 according to the first embodiment of the present invention.

The control unit 101 connects the scanner unit 102 which is an image input device and the printer unit 103 which is an image output device and connects to the network 104 or the public line 105 to input and output image information and device information I do.

The CPU 106 is a processor that controls the entire multifunction apparatus 100. The RAM 107 provides a system work memory for the CPU 106 to operate, and is also a memory for temporarily storing image data, user information, passwords, and the like. R0M (108) is the boot ROM and stores the boot program. The HDD 109 is a hard disk drive, and stores programs, applications, image data, and the like executed by the CPU 106. [ Programs for executing the flowcharts described later according to the embodiment are also stored in the HDD 109. [ Each step of the flowchart according to the embodiment is achieved by causing the CPU 106 to expand the program stored in the HDD 109 to the RAM 107 and executing the program. However, a processor other than the CPU 106 may execute the steps of the flowchart, or the CPU 106 and other processors may cooperate to execute the processing of the flowchart.

The operation unit interface 110 controls the interface with the operation unit 111 having the touch panel to output the image data to be displayed on the operation unit 111 to the operation unit 111 and also displays the image data inputted by the user via the operation unit 111 And transfers the information to the CPU 106. The network interface 112 connects to the network 104 and performs input / output of information via the network 104. [ The modem 113 connects to the public line 105 and inputs / outputs information with other devices via the public line 105. [ The SRAM 114 is a nonvolatile recording medium that can operate at high speed. The RTC 115 is a real time clock and performs processing for continuously counting the current time even when power is not supplied to the control unit 101. [ The above devices are placed on the system bus 116.

The image bus I / F 117 is a bus bridge that connects the system bus 116 and the image bus 118 that transfers image data at high speed, and converts the data structure. The image bus 118 is composed of a PCI bus or IEEE 1394, and the following devices are arranged on the image bus 118. The RIP unit 119 is a raster image processor, and develops the PDL code into a bitmap image. The device I / F unit 120 connects the scanner unit 102 and the printer unit 103 to the control unit 101, and performs conversion between the moving machine and the non-moving machine with respect to the image data. The scanner image processing unit 121 performs correction, processing, and editing on the image data input from the scanner unit 102. [ The printer image processing unit 122 performs correction, resolution conversion, and the like on the image data output to the printer unit 103. [ The TPM 123 allows the use of the TPM cryptographic key (TPM function). The USB connection unit 124 connects to the USB memory 125 (external memory) and performs data input / output with the USB memory 125.

2 is a block diagram for explaining a schematic configuration of cryptographic keys and secret data handled by the TPM 123 and the HDD 109 according to the first embodiment. 2 shows a schematic configuration of the TPM 123 and has a TPM root key 201, a TPM cryptographic key 202 and a TPM register 203. [ 2 shows a schematic configuration of data related to the TPM function and stored in the HDD 109. The data includes a device encryption key 211, a device encryption key blob 212, (213).

Confidential data handled by the multifunction apparatus 100 is encrypted using the device encryption key 211 in the first embodiment. This secret data includes not only personal data such as image data and address book of the multifunction apparatus 100 but also individual encryption keys and certificates handled by the application software of the multifunction apparatus 100 and a password of the user authentication function, Do not.

The device encryption key 211 is encrypted using the TPM encryption key 202. Further, this TPM encryption key 202 is encrypted using the TPM root key 201. The TPM root key 201 can be overwritten or deleted by an external access, can not be extracted, and can be used only for encryption. With this chain of cipher keys, it is possible to realize strong security with tamper resistance. When the TPM 123 is connected to the multifunction apparatus 100 for the first time at the time of shipment from the factory, the TPM 123 does not have the TPM encryption key 202 therein. The CPU 106 generates an encryption key and inputs the encryption key to the TPM 123 as a TPM encryption key when the multifunction apparatus 100 is initially started. In this way, within the TPM 123, the TPM encryption key 202 is encrypted using the TPM root key 201 and associated with the TPM root key 201. When the CPU 106 inputs the TPM encryption key 202 to the TPM 123, the information is stored in the TPM register 203 and the TPM 123 outputs the encryption key blob to the CPU 106 . These items are used for verification of the legitimacy of the TPM cipher key 202, and will be described later in the description of the processing in Fig.

At this time, the configuration of these keys in the first embodiment is merely an example, and the present invention is not limited thereto. For example, the TPM root key does not exist in the TPM, and the TPM encryption key is only stored, or the TPM root key and the TPM encryption key are used to secure the encryption key in the TPM more securely May be employed. Further, the confidential data of the HDD 109 may be directly encrypted with the TPM encryption key, instead of being encrypted with the device encryption key encrypted with the TPM encryption key.

Next, verification control of the validity of the encryption key of the TPM 123 performed at the start of the multifunction apparatus 100 according to the first embodiment will be described with reference to Figs. 1 to 3. Fig. At this time, the processing of the multifunction apparatus 100 according to the present embodiment is controlled by the CPU 106 in the multifunction apparatus 100. [

3 is a flow chart for explaining the startup process of the multifunction apparatus 100 according to the first embodiment. At this time, this processing is achieved by the CPU 106, for example, expanding the program stored in the HDD 109 in the RAM 107 and executing this program.

First, in step S301, the CPU 106 acquires the TPM setting of the multifunction apparatus 100 from the SRAM 114. [ This TPM setting is setting information that indicates whether the TPM function of the multifunction apparatus 100 is valid or invalid. Next, proceeding to step S302, the CPU 106 determines whether the TPM setting obtained in step S301 is valid or not. If the CPU 106 determines that the TPM setting is invalid in step S302, this processing is terminated. On the other hand, if the CPU 106 determines in step S302 that the TPM setting is valid, the procedure proceeds to step S303, and the CPU 106 verifies the validity of the encryption key.

In the first embodiment, the TPM cipher key 202 and the device encryption key 211 of the TPM 123 are set as the verification target. Since the TPM cryptographic key 202 is a key obtained by encrypting the device encryption key 211 of the HDD 109 using the TPM root key 201, the TPM cryptographic key 202 is verified as a TPM root key (201) and confirms whether the device encryption key 211 is obtained or not. As described above, the TPM cipher key 202 of the TPM 123 is input by the CPU 106 and is encrypted by the TPM root key 201. At this time, when the CPU 106 generates the TPM encryption key 202 and stores the TPM encryption key 202 in the TPM 123, the CPU 106 acquires the encryption key blob 212 from the TPM 123 And stores this cryptographic key blob 212 in the HDD 109. [ At this time, information associating the cipher key blob 212 with the TPM 123 is also stored in the TPM register 203 of the TPM 123. [ Therefore, in step S303, the CPU 106 inputs the cryptographic key blob 212 stored in the HDD 109 to the TPM 123. [ Accordingly, the TPM 123 compares the inputted cryptographic key blob 212 with the related information stored in the TPM register 203. [ If they match, it is confirmed that the TPM encryption key 202 of the TPM 123 and the device encryption key 211 stored in the HDD 109 are related.

At this time, the process of confirming the validity of the encryption key is merely an example, and the process is not limited to this process. For example, the CPU 106 holds a copy of the device encryption key in the TPM register 203, and the CPU 106 inputs the device encryption key 211 into the TPM 123 and transfers the device encryption key 211 to the TPM register 203 ) With the device encryption key. In this way, it may be checked whether the device encryption key 211 of the HDD 109 is associated with the TPM encryption key 202 of the TPM 123.

After the processing of step S303, the procedure proceeds to step S304, and the CPU 106 determines whether or not the cryptographic key handled by the CPU 106 can be used normally by verifying the validity of the cryptographic key. If the CPU 106 determines in step S304 that the cryptographic key is normally available by verification of the validity of the cryptographic key, the process is terminated. On the other hand, if the CPU 106 determines in step S304 that the cryptographic key to be handled by the validity of the cryptographic key can not normally be used, the procedure proceeds to step S305, An error screen (not shown here) is displayed, and this process is terminated.

The above-described processing is the validity verification processing of the TPM encryption key at the start-up processing of the multifunction apparatus 100. [ At this time, as an example of the case where the encryption key can not be normally used as in step S305, the chip / main board is replaced by a failure of the TPM chip or a failure of the main board in which the TPM chip is connected or the TPM chip is embedded, 100) is started up.

Next, control for making the TPM function according to the first embodiment effective will be described with reference to Figs. 1, 4, and 5A to 5C.

Fig. 4 is a flowchart for explaining a process for making the TPM function valid in the multifunction apparatus 100 according to the first embodiment. At this time, this processing is achieved by the CPU 106, for example, expanding the program stored in the HDD 109 in the RAM 107 and executing this program.

First, in step S401, the CPU 106 receives a display instruction of the TPM setting management screen (Figs. 5A to 5C) from the operation unit 111. Fig. Next, the procedure proceeds to step S402, where the CPU 106 acquires the TPM settings stored in the SRAM 114. [ Next, the procedure proceeds to step S403, and the CPU 106 determines whether or not the acquired TPM setting is set as valid. If the TPM setting is determined to be valid, the process proceeds to step S412; otherwise, the process proceeds to step S404, and the CPU 106 determines whether the USB memory 125 is connected to the USB connection unit 124 . If the CPU 106 determines in step S404 that the USB memory 125 is not connected to the USB connection unit 124, the process proceeds to step S405. In step S405, the CPU 106 displays on the operation unit 111 a message requesting the user to connect the USB memory 125 to the USB connection unit 124, and proceeds to step S404.

5A is a diagram showing an example of a TPM setting management screen displayed on the operation unit 111 of the multifunction apparatus 100 according to the first embodiment.

Here, an example is shown in which a message requesting the user to connect the USB memory 125 capable of backing up the TPM encryption key to the USB connection unit 124 is displayed in order to make the TMP setting effective. This screen includes an item 501 of the current TPM setting and a button 502 that enables the TPM setting. 5A in the state of the step S405, since the USB memory 125 is not connected, the button 502 for making the TPM setting valid is laid out and displayed so that the button 502 can not be depressed.

If the CPU 106 determines in step S404 that the USB memory 125 is connected to the USB connection unit 124, the CPU 106 proceeds to step S406, And proceeds to step S407. In step S407, the CPU 106 determines whether or not the TPM encryption key can be backed up in the storage area of the USB memory 125. [ When it is determined in step S407 that the TPM encryption key can not be backed up, the process proceeds to step S405. Here, the TPM encryption key can not be backed up when, for example, there is no empty storage area in the USB memory 125, or when the user does not have the right to record in the storage area, the USB And the TPM encryption key can not be recorded in the memory 125. [

In this case, in the first embodiment, the backup destination of the TPM encryption key is assumed to be the USB memory, but the backup destination may be a storage other than the USB memory, and is not particularly limited. For example, memory media such as USB-HDD and SD card, SMB via network, and cloud storage area may be used.

On the other hand, if the CPU 106 determines in step S407 that the TPM encryption key can be backed up in the storage area of the USB memory 125, the CPU 106 proceeds to step S408, The button 502 for enabling the TPM setting of the screen is displayed so as to be depressed. Fig. 5B shows an example in which the layout state of the button 502 for enabling the TPM setting is released on the TPM setting management screen, and the button 502 is displayed so as to be depressed. Fig.

Next, proceeding to step S409, the CPU 106 determines whether or not the button 502 for validating the TPM setting is pressed. If the CPU 106 determines in step S409 that the button 502 has been pressed, the process proceeds to step S410, and the CPU 106 makes the TPM setting valid. Then, in step S411, the CPU 106 executes backup processing of the TPM encryption key.

In the first embodiment, when the TPM setting becomes valid, the CPU 106 outputs an instruction to the TPM 123 to generate the TPM encryption key. Accordingly, the TPM 123 generates the TPM encryption key, and outputs the encryption key blob 212 to the CPU 106. [ The setting information indicating that the setting of the TPM function is valid is stored in the SRAM 114 by the CPU 106. [

If the user makes the TPM function valid in steps S404 to S411, the TPM encryption key generation process is executed on condition that the TPM encryption key can be backed up in advance. This has the effect of preventing the user from forgetting to back up the TPM encryption key.

Next, the backup processing of the TPM encryption key in step S411 will be described with reference to Figs. 1, 6, and 7. Fig.

Fig. 6 is a flowchart for explaining backup processing of the TPM encryption key in step S411 of Fig. 4 performed by the multifunction apparatus 100 according to the first embodiment.

In step S601, the CPU 106 displays a screen for inputting a password for backup of the TPM cipher key on the operation unit 111, and accepts the input of the password at the time of backup of the TPM cipher key.

7 is a view showing an example of a screen for inputting a password for backup of the TPM encryption key displayed on the operation unit 111 of the multifunction apparatus 100 according to the first embodiment.

The password input from the operation unit 111 is masked by "*" and is displayed on the password input frame 701. [ Here, when the user presses the OK button 702, the CPU 106 accepts a backup execution instruction of the TPM encryption key together with a password for backup of the TPM encryption key. In the first embodiment, this password information is held in the SRAM 114 by the CPU 106. [ In the first embodiment, it is assumed that the same password is input twice to prevent erroneous setting.

When the CPU 106 determines in step S602 that the input of the password has been completed, the CPU 106 proceeds to step S603, and the CPU 106 encrypts the TPM encryption key based on the password stored in the SRAM 114 , The procedure goes to step S604. It is assumed that the encryption using the password in the first embodiment is performed in PKCS # 12 (Public Key Cryptography Standard # 12) format. At this time, in the first embodiment, the backup of the TPM encryption key is performed by a password encryption method based on password information specified by the user, but the present invention is not limited to this. For example, the TPM cryptographic key may be protected with a public key and a secret key using a fixed password, a common key, or a PKI mechanism held in the multifunction apparatus 100 in advance.

Next, proceeding to step S604, the CPU 106 forms the encrypted TPM encryption key into an output file format, backs up the encrypted TPM encryption key, archives the file, and proceeds to step S605 do. In the first embodiment, before the restoration of the TPM encryption key, which will be described later, the file to be output is archived by attaching an identification header to this file in order to identify the file as the encrypted TPM encryption key file. In the first embodiment, this data is referred to as TPM cryptographic key backup data.

In step S605, the CPU 106 writes the TPM encryption key backup data into the USB memory 125. The CPU 106 proceeds to step S606 to determine whether or not the TPM encryption key backup data could be normally recorded in the USB memory 125 and that the recording in the USB memory 125 failed If judged, the procedure goes to step S607. In step S607, the CPU 106 displays a recording error on the operation unit 111, proceeds to step S601, and repeats the backup processing.

On the other hand, if it is determined in step S606 that the backup to the USB memory 125 has succeeded, the process proceeds to step S608, and the CPU 106 stores the backup completion flag in the SRAM 114, and then proceeds to step S609 do. In step S609, the CPU 106 displays a message indicating that the backup of the TPM encryption key is completed on the operation unit 111, and ends the TPM encryption key backup process.

At this time, in the first embodiment, it is assumed that the screen is automatically switched to the input screen of the password for the TPM cipher key backup in Fig. 7 when the button 502 for enabling the TPM setting is pressed. However, it is also possible to employ a configuration in which the screen is not transited automatically, and the screen is transited according to an instruction of the user to perform backup.

Next, the description returns to Fig.

When the backup of the TPM encryption key is completed in this way, the process proceeds to step S412 of FIG. 4, and the CPU 106 displays a message indicating that the TPM setting is validated on the operation unit 111. FIG.

5C is a diagram showing an example of the TPM setting screen when the TPM setting is validated.

5C shows an example in which the current TPM setting item 501 is changed to "ON ", and the button 502 for enabling the TPM setting is displayed in its layout and can not be pressed.

At this time, it is assumed that the TPM setting of the first embodiment and the backup of the TPM encryption key can be performed only by the user having the administrator authority. Therefore, the TPM setting management screen shown in Figs. 5A to 5C is displayed only when a user with administrator authority logs in.

As described above, according to the first embodiment, the user can change the TPM setting from the invalid state to the valid state, provided that the TPM encryption key can be backed up in the information processing apparatus having the TPM function . Thus, after the TPM setting is made valid, it is possible to prevent the user from forgetting to back up the TPM encryption key.

Second Embodiment

Next, a second embodiment of the present invention will be described. In the above-described first embodiment, when the TPM setting of the multifunction apparatus 100 is made valid, it is premised that the user operates the operation unit 111. However, in place of making the TPM setting effective only by the setting from the local UI, the TPM setting may be remotely enabled. One example is when the administrator setting including the TPM setting of the multifunction apparatus 100 is imported as data via the network. In such a case, it is not realistic that the TPM function can not be validated unless a storage such as a USB memory is connected, if an instruction is remotely given as in the first embodiment. On the other hand, even when the storage is not connected, there is a possibility that a situation in which the TPM encryption key is not backed up may occur when a configuration is adopted that enables the TPM setting to be remotely enabled.

Accordingly, in the second embodiment, when an instruction to validate the TPM setting is received from the remote device via the network, the TPM setting is permitted to be validated even if storage is not connected. The user is prompted to back up the TPM encryption key when the multifunction apparatus 100 having the TPM setting validated in the state where the TPM encryption key is not backed up is activated or when the user authentication is performed in the multifunction apparatus 100 in this state , Thereby inhibiting the user from forgetting to back up the TPM encryption key. At this point, the configuration of the multifunction apparatus 100 and the TPM 123 according to the second embodiment, the TPM encryption key back-up process, and the like are not described in the second embodiment as in the first embodiment. Hereinafter, the processing when the TPM setting is validated when an instruction to make the TPM setting valid is received from the remote device will be described. Also in the second embodiment, when the user attempts to validate the TPM setting from the operation unit 111 of the multifunction apparatus 100, the multifunction apparatus 100 executes the process of the first embodiment.

8 is a flow chart for explaining the startup process of the multifunction apparatus 100 according to the second embodiment. At this time, this processing is achieved by the CPU 106, for example, expanding the program stored in the HDD 109 in the RAM 107 and executing this program. The processing in Fig. 8 differs from the flowchart in Fig. 3 according to the first embodiment described above in that the processing in steps S806 and S807 is added. The process to be added is a process for displaying a backup instruction when the TPM encryption key is not backed up, and its details will be described later. The processing in steps S801 to S805 in the flowchart of Fig. 8 according to the second embodiment is similar to the processing in steps S301 to S305 in Fig. 3 of the first embodiment, and therefore, a description thereof will be omitted.

If the CPU 106 determines in step S804 that the cryptographic key handled by the CPU 106 by the verification of the validity of the cryptographic key is normally available, the procedure goes to step S806. In step S806, the CPU 106 refers to the backup completion flag stored in the SRAM 114 to determine whether or not the TPM encryption key has been backed up. The backup completion flag is information stored in the SRAM 114 by the CPU 106 in the above-described step S608 of the first embodiment. If the CPU 106 determines in step S806 that the TPM encryption key has been backed up, the process is terminated. On the other hand, if the CPU 106 determines in step S806 that the TPM encryption key has not been backed up, the CPU 106 advances the processing to step S807, and the CPU 106 displays on the operation unit 111 a screen for instructing backup of the TPM encryption key And this process is terminated.

9 is a diagram showing an example of a main menu screen of functions provided by the multifunction apparatus 100 according to the second embodiment. This screen is displayed on the operation unit 111 by the CPU 106 at the start of the multifunction apparatus 100. In the second embodiment, a backup instruction message 902 is displayed in the area of the status line 901 of the main menu screen, and a screen prompting the user to back up the TPM encryption key is displayed.

Accordingly, the user of the multifunction apparatus 100 can recognize that the TPM encryption key has not been backed up, and can take appropriate action.

Next, the control performed when the administrator performs the user authentication for the multifunction apparatus 100 will be described.

10 is a flowchart for explaining a user authentication process performed by the multifunction apparatus 100 according to the second embodiment. At this time, this processing is achieved by the CPU 106, for example, expanding the program stored in the HDD 109 in the RAM 107 and executing this program.

First, in step S1001, the CPU 106 displays a login screen on the operation unit 111, and proceeds to step S1002. In step S1002, the CPU 106 accepts input of user information and a password from the user via the operation unit 111. [ The user information and the password thus input are held in the RAM 107. [ In the second embodiment, the RAM 107 is used for temporarily storing user information and a password. However, other devices capable of storing data such as the HDD 109 may be used, but are not limited thereto. The third embodiment to be described later is not similarly limited. In the second embodiment, the CPU 106 encrypts the password associated with the user information for user authentication using the device encryption key 211, and stores this password in the HDD 109. [

Next, the procedure proceeds to step S1003, and the CPU 106 obtains the encrypted password information related to the input user information from the HDD 109, decrypts the password information, and stores the password information in the input password It is verified whether or not the password is a correct password, and the procedure is executed in step S1004. In the second embodiment, the decryption of the encrypted password by the CPU 106 is performed using the device encryption key 211. In addition, the device encryption key 211 is encrypted using the TPM encryption key 202 of the TPM 123. The CPU 106 obtains and uses the device encryption key decrypted by the TPM encryption key 202 by inputting the encrypted device encryption key 211 to the TPM 123. [ The TPM encryption key 202 is encrypted with the TPM root key 201. When the TPM encryption key 202 is used, the TPM encryption key 202 is decrypted using the TPM root key 201.

In step S1004, the CPU 106 authenticates the user using the user information and the password input in step S1002. If the authentication fails, the CPU 106 displays an error on the operation unit 111, and the procedure goes to step S1002. . On the other hand, when the CPU 106 determines in step S1004 that the inputted user information and password are correct and the user is successfully authenticated, the CPU 106 proceeds to step S1005, ). ≪ / RTI > Next, proceeding to step S1006, the CPU 106 causes the RAM 107 to retain the user information of the logged-in user, and proceeds to step S1007. In step S1007, the CPU 106 acquires the TPM setting from the SRAM 114 and executes the procedure to step S1008.

In step S1008, the CPU 106 determines whether or not the TPM setting acquired from the SRAM 114 is set to valid. Here, if the CPU 106 determines that the TPM setting is invalid, the CPU 106 ends this processing. On the other hand, if the CPU 106 determines in step S1008 that the TPM setting is valid, the CPU 106 proceeds to step S1009 to determine whether the TPM encryption key has been backed up from the SRAM 114 . At this time, as described in the first embodiment, it is determined whether or not the TPM encryption key has been backed up according to whether the backup completion flag stored in the SRAM 114 is on or not. If it is determined that the TPM encryption key has been backed up, the process is terminated. On the other hand, if the CPU 106 determines in step S1009 that the TPM encryption key has not been backed up, the process proceeds to step S1010, and the CPU 106 determines whether the logged-in user has the administrator authority. If it is determined that the user has administrator authority, the process proceeds to step S1011, and the CPU 106 displays a screen prompting the user to backup the TPM encryption key. In the second embodiment, the input screen of the password for the TPM cryptographic key back-up shown in Fig. 7 described above is displayed on the operation unit 111. Fig. The subsequent TPM encryption key backup processing is similar to the processing in the first embodiment described above. In step S1012, the CPU 106 executes backup processing of the TPM encryption key, similarly to the flowchart of Fig. 6 described above, and ends this processing.

By this processing, it is possible to inhibit the user from forgetting to back up the TPM encryption key by urging the user to back up the TPM encryption key when the logged-in user is an administrator and the TPM encryption key is not backed up. In this case, in the second embodiment, a screen for prompting the backup immediately after the authentication of the user is displayed on the operation unit 111, but the present invention is not limited to this. For example, when the user operates the management setting of the multifunction apparatus 100, such a screen may be displayed when the display of the operation unit 111 transits to the management screen.

If the CPU 106 determines in step S1010 that the logged-in user does not have the administrator authority, the process is terminated. In the second embodiment, this is because the backup of the TPM cryptographic key is assumed to be executed only by the user having the administrator authority.

At this time, in the second embodiment, other functions such as the copy function provided by the multifunction apparatus 100 can be executed without backing up the TPM encryption key. However, if the TPM encryption key is not backed up, a button such as a copy button provided on the main menu screen shown in Fig. 9 can not be operated, and a specification in which execution of a predetermined function is not permitted may be adopted. Do not.

As described above, according to the second embodiment, when the multifunction apparatus 100 in which the TPM setting is valid in the state that the TPM encryption key is not backed up is activated or when the user is authenticated in this state, the TPM encryption key To the user. Thus, it is possible to prevent the user from forgetting to back up the TPM encryption key when the user makes the TPM setting valid, for example, remotely, differently from the first embodiment.

Third Embodiment

Next, a third embodiment of the present invention will be described. In the above-described first and second embodiments, since the TPM encryption key is generated after the TPM setting is made effective in the multifunction apparatus 100 having the TPM function, the backup can be performed only after the TPM setting is made valid . However, there may be another HSM (Hardware Security Module) that generates a cryptographic key (HSM cryptographic key) before validating the function (hereinafter HSM function). Thus, in the third embodiment, control for suppressing the user from forgetting to back up the HSM encryption key in the multifunction apparatus 100 capable of generating / backing up the HSM encryption key before the HSM function is enabled will be described. Hereinafter, in the third embodiment, differences from the first and second embodiments described above will be described.

11 is a flowchart for explaining processing and backup processing for making effective the HSM function performed by the multifunction apparatus 100 according to the third embodiment of the present invention. At this time, this processing is achieved by the CPU 106, for example, expanding the program stored in the HDD 109 in the RAM 107 and executing this program.

First, in step S1101, the CPU 106 accepts a display instruction of the HSM setting management screen from the operation unit 111. [ Next, the procedure proceeds to step S1102, and the CPU 106 acquires the HSM setting from the SRAM 114. [ Next, in step S1103, the CPU 106 determines whether the HSM setting acquired from the SRAM 114 is valid. If the CPU 106 determines in step S1103 that the acquired HSM setting is invalid, the CPU 106 advances the procedure to step S1104, and the CPU 106 sends a message requesting the user to back up the HSM encryption key to the operation unit 111 in advance And the process proceeds to step S1105.

In step S1105, the CPU 106 determines whether or not the HSM encryption key has been backed up. In this case, similarly to the above-described step S806, it is determined whether or not the HSM encryption key has been backed up depending on whether the backup completion flag stored in the SRAM 114 is on or not. If it is determined that the HSM encryption key has not been backed up, the procedure proceeds to step S1106, where the CPU 106 receives backup of the HSM encryption key and proceeds to step S1107.

12A is a diagram showing an example of the HSM setting management screen displayed on the operation unit 111 of the multifunction apparatus 100 in step S1106 of Fig. Here, a message requesting the user to backup the HSM encryption key in advance is displayed, and the current HSM setting 1203 is off. Here, as shown in Fig. 12A, the button 1202 for instructing execution of backup of the HSM cryptographic key is displayed in an operable state, and the button 1201 for making the HSM setting effective is not displayed in the layout Respectively.

In step S1107, the CPU 106 operates the button 1202 to determine whether or not the execution of backup of the HSM cryptographic key is instructed. If it is determined that the backup of the HSM cryptographic key has been instructed, the CPU 106 proceeds to step S1108 And performs backup processing of the HSM encryption key. In the backup process of the HSM encryption key, the backup of the TPM encryption key is changed to the backup of the HSM encryption key. This process is basically similar to the step S411 of the first embodiment described above.

On the other hand, if the CPU 106 determines in step S1105 that the HSM encryption key has been backed up, the CPU 106 advances the processing to step S1109, and the CPU 106 receives an instruction to validate the HSM setting and returns to step S1110 Proceed with the procedure.

12B is a diagram showing an example of the HSM setting management screen displayed on the operation unit 111 of the multifunction apparatus 100 in step S1109 of Fig.

Here, since the HSM encryption key has been backed up, the layout state of the button 1201 for making the HSM setting valid is canceled and the button 1201 can be pressed. In Fig. 12B, the button 1202 for instructing execution of backup of the HSM encryption key is displayed in its layout so that it can not be operated.

In step S1110, the CPU 106 determines whether the HSM setting is instructed to be valid by pressing the button 1201 for making the HSM setting valid. If the CPU 106 determines that the button 1201 for validating the HSM setting is pressed, the CPU 106 advances the procedure to step S1111, validates the HSM setting, and proceeds to step S1112. By adopting such a configuration that the HSM setting can not be made valid unless the HSM cryptographic key is backed up, it is possible to prevent the user from forgetting to back up the HSM cryptographic key.

Next, in step S1112, the CPU 106 displays a state where the setting of the HSM function is validated on the HSM setting management screen.

12C is a diagram showing an example of the HSM setting management screen displayed on the operation unit 111 of the multifunction apparatus 100 in step S1112 of Fig. 11, and shows an example of a screen showing that the HSM setting is enabled .

12C, since the HSM setting is valid and the HSM encryption key has been backed up, the current HSM setting 1203 is set to ON, and the layout of the button 1201 for making the HSM setting valid is displayed in its layout have. In addition, the button 1202 for instructing execution of backup of the HSM encryption key is displayed in its layout so that it can not be operated.

As described above, according to the third embodiment, in the multifunctional apparatus capable of backing up the HSM cipher key before the HSM setting becomes valid, the HSM setting can not be made effective unless the HSM cipher key is necessarily executed. Configuration can be adopted. This makes it possible to prevent the user from forgetting to back up the HSM encryption key when the HSM setting is made valid.

Other Embodiments

Embodiments of the present invention may be practiced using computer executable programs (e.g., computer readable instructions) recorded on a storage medium (which may be referred to as " non-volatile computer readable storage medium ") for performing one or more functions of the above- (E.g., an application specific integrated circuit (ASIC)) that reads and executes possible instructions (e.g., one or more programs) and / or performs one or more functions of the above- For example, by reading and executing computer-executable instructions from a storage medium to perform one or more functions of the above-described embodiment (s), such as by a computer of the system or apparatus The computer may comprise one or more central processing units (CPUs), microprocessors (MPUs), or other circuitry, and may be implemented in a network of discrete computers The computer-executable instructions may, for example, be presented to a computer from a network of storage media. The storage medium may comprise, for example, one or more hard disks, a random access memory RAM), read only memory (ROM), a distributed computing system storage, an optical disk (a compact disc (CD), digital versatile disk (DVD), or Blu-ray disc (BD), ^TM, etc.), flash memory device, a memory card, etc. .

The present invention provides a program or a program for realizing one or more functions of the above-described embodiments to a system or an apparatus via a network or a storage medium, and in the computer of the system or apparatus, . It may also be implemented by a circuit (for example, an ASIC) that realizes one or more functions.

While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to those embodiments. The scope of the following claims is to be accorded the broadest interpretation so as to encompass all such modifications, equivalent structures and functions.

Claims (12)

An information processing apparatus having a hardware security module (HSM)
A backup unit configured to back up the encryption key of the HSM;
A setting unit configured to set the HSM function to be valid upon reception of an instruction to enable an HSM function that allows data encryption and decryption using the encryption key of the HSM;
And a control unit configured to perform control so that the instruction to enable the HSM function can be accepted on condition that the backup unit is capable of backing up the encryption key of the HSM.
The method according to claim 1,
And when the setting unit sets the HSM function to be valid, the control unit performs control to back up the encryption key of the HSM by the backup unit.
The method according to claim 1,
Wherein the control unit determines whether or not the external memory for storing the encryption key of the HSM is connected or whether the external memory has an empty storage area for storing the encryption key of the HSM, And judges whether backup of the encryption key of the HSM is possible or not.
The method according to claim 1,
Further comprising a display unit configured to display an instruction unit for giving an instruction to enable the HSM function,
Wherein the display unit is operable to display the instruction unit in an operable manner when the instruction to validate the HSM function is receivable and the instruction unit to be operable when the instruction to validate the HSM function is not receivable Information processing apparatus.
An information processing apparatus having a hardware security module (HSM)
A backup unit configured to back up the encryption key of the HSM;
A first judging unit configured to judge whether the HSM function permitting encryption and decryption of data is valid by using the cipher key of the HSM;
A second determination unit configured to determine whether the encryption key of the HSM is backed up,
The control unit performs control to back up the encryption key of the HSM when it is determined by the first determination unit that the HSM function is valid and the second determination unit determines that the encryption key of the HSM is not backed up And a control unit configured to control the information processing apparatus.
6. The method of claim 5,
Wherein the control unit displays a screen prompting a user to back up the encryption key of the HSM.
6. The method of claim 5,
Wherein the first determination unit determines whether or not the HSM function is valid when the user logs in.
6. The method of claim 5,
When the second judging unit judges that the HSM function is not valid and that the encryption key of the HSM is not backed up, the control unit judges that the backup of the encryption key of the HSM And further performs control to display a screen for accepting the instruction.
6. The method of claim 5,
When the HSM function is judged to be invalid by the first judging unit and the second judging unit judges that the cipher key of the HSM has been backed up, the control unit makes the HSM function valid at the time of control And further performs control to display a screen for accepting the instruction.
The method according to claim 1,
Wherein the backup unit backs up the encryption key of the HSM according to an instruction from a user having an administrator authority.
A control method for an information processing apparatus having a hardware security module (HSM)
Backing up the encryption key of the HSM;
Setting the HSM function to be valid upon receipt of an instruction to enable the HSM function to permit data encryption and decryption using the encryption key of the HSM;
And performing control so that the instruction to enable the HSM function can be accepted on condition that backup of the encryption key of the HSM is possible.
The processor,
A control method for an information processing apparatus having a hardware security module (HSM)
Backing up the encryption key of the HSM;
Setting the HSM function to be valid upon receipt of an instruction to enable the HSM function to permit data encryption and decryption using the encryption key of the HSM;
And performing control so that the instruction to enable the HSM function can be accepted on condition that the encryption key of the HSM can be backed up.

Images